000

¡Supera tus tareas y exámenes ahora con Quizwiz!

Universal groups

Active Directory groups that are used to assign permissions to related resources in multiple domains Membership is stored only in the global catalog and is replicated across the forest

Active Directory Administrative Center (ADAC) Active Directory Users and Computers console

After creating a single user, you can use

In the Tasks pane, under the container name, click New > User

CREATE A USER WITH ACTIVE DIRECTORY ADMINISTRATIVE CENTER

In the Active Directory Users and Computers console, in the left pane, find the domain in which you want to create the user object and select a container in that domain Click Action > New > User. The New Object - User Wizard start

CREATE A USER WITH ACTIVE DIRECTORY USERS AND COMPUTERS

two domain controllers

Every Active Directory domain should have a minimum of

remote domain controller

If the new domain controller is in a site that does not have a domain controller, replication will occur from

automatically

If the new domain controller is located in the same site as another, AD DS replication between the two begin

Windows Server 2016

In ___ you can now install Active Directory Domain Services on a computer running the Server Core installation option and promote the system to a domain controller, all by using Windows PowerShell

•Creating a computer account: You create a computer account by creating a new com-puter object in Active Directory and assigning the name of an actual computer on the network. •Joining the computer to the domain: After you join a computer to the domain, the system contacts a domain controller, establishes a trust relationship with the domain, locates (or creates) a computer object corresponding to the computer's name, alters its security identifier (SID) to match the computer object, and modifies its group memberships.

In addition to creating user accounts in the domain, you need to make sure that the network computers are part of the domain. Adding a computer to an AD DS domain consists of

Windows PowerShell

It also is possible to use CSV files to create user objects with

LDAP Data Interchange Format Directory Exchange (LDIFDE.exe)

Like CSVDE, this utility imports AD DS information and uses it to add, delete, or modify objects, in addition to modifying the schema, if necessary.

computer accounts

Much like user accounts, ___ are assigned passwords when the computer is added to the domain and is automatically maintained between the computer and the domain controllers

global catalogs

One of the primary functions of a ___ is to provide search capability of any object in the forest

Active Directory Users and Computers Advanced Features view

Protect object from accidental deletion option selected; this can only be seen

Windows Server 2012

Starting with ___, you can safely virtualize a domain controller and rapidly deploy virtual domain controllers through cloning. It allows you to quickly restore domain controllers when a failure occurs and to rapidly provision a test environment when you need to deploy and test new features or capabilities before you apply the features or capabilities to production

Domain Naming Master(one per forest)

The Domain Naming Master holds the Domain Naming Master role that controls the addition or removal of domains in the forest Although the loss of the Domain Naming Master does not affect users, you are not able to add or remove domains from the forests

Infrastructure Master (one per domain)

The Infrastructure Master is used to track which objects belong to which domain because it is responsible for reference updates from its domain objects to other domains. When you rename or move a member of a group (and the members that reside in different domains from the group), the Infrastructure Master is respon-sible for updating the group so it knows the new name or location of the member. Typically, the loss of the Infrastructure Master is not visible to users. However, it might be seen if you recently moved or renamed a large number of accounts

Infrastructure Master(one per domain)

The Infrastructure Master is used to track which objects belong to which domain because it is responsible for reference updates from its domain objects to other domains. When you rename or move a member of a group (and the members that reside in different domains from the group), the Infrastructure Master is respon-sible for updating the group so it knows the new name or location of the member. Typically, the loss of the Infrastructure Master is not visible to users. However, it might be seen if you recently moved or renamed a large number of accounts

open the View menu and select Advanced Features

The LostAndFound, NTDS Quotas, Program Data, and System containers are hidden in Active Directory Users and Computers. To view these container

Primary Domain Controller (PDC) Emulator (one per domain)

The PDC Emulator was originally created to provide backward compatibility with Windows NT 4.0 domains. It also coordinates password changes, account lockouts, and time synchronization; man-ages edits to Group Policy Objects (GPOs); and acts as a domain master browser (provides a list of workgroups and domains when you browse). When a password is changed, the domain controller that initiates a password change sends the change to the PDC Emulator, which in turn updates the global catalog server and provides immediate replication to other domain controllers in the domain Because the PDC Emulator is the most heavily used role and because of the tasks that it does, it can affect users when it is down. For example, if a password is changed, it might not be immediately rep-licated, which can cause problems when a user tries to access resources. If the system clocks drift too much, users might not be able to log on as Kerberos fails. In addition, account lockout might not work and you might not be able to raise the functional level of a domain

Schema Master (one per forest)

The Schema Master controls all the updates and modifications to the schema. To update the schema of a forest, you must have access to the Schema Master Although the loss of the Schema Master does not affect the users, you cannot modify the schema or install any applications, such as Microsoft Exchange, that would modify the schema. You are also not able to raise the functional level of the forest

global catalog SRV records (_gc)

The global catalogs are identified by

size of your network and its site configuration

The importance of the global catalog varies depending on

Comma-Separated Value Directory Exchange (CSVDE.exe)

This command-line utility creates new AD DS objects by importing information from a comma-separated value (.csv) file.

Windows PowerShell

This currently approved Windows maintenance tool creates object creation scripts of nearly unlimited complexity

Dsadd.exe

This standard command-line tool creates AD DS leaf objects, which you can use with batch files to create AD DS objects in bulk

.cmd or .bat extension

To create multiple objects (including users, groups, or any other object type) by using a batch file, open Notepad and use the Dsadd.exe syntax described previously, by placing a single command on each line. After you enter the commands you need, save the file and name it by using a

pointing to a DNS server for the domain that you just installed. In addition, it is best that the server is joined to the domain

To install a second domain controller, the server should be

Remove Roles and Features Wizard

To remove a domain controller from an AD DS installation, you must begin by running

Windows Server 2008 or later

To upgrade from FRS to DFSR, the domain functional level must be

•You deploy a computer from an image of another computer and you do not use the sys-prep tool to reset the SID. •The computer account is corrupted. •The computer is not connected to the domain network for long periods of time

Unfortunately, from time to time, a computer account can become untrusted when the security identifier (SID) or password is different from those stored in Active Directory. This is done when

Relative Identifier (RID) Master (one per domain)

When a domain controller creates a user, group, or computer object, the RID Master assigns the object a unique security ID (SID). The SID consists of a domain security ID that identifies the domain to which the object belongs and a relative ID that iden-tifies the object within the domain. The RID Master is responsible for assigning relative identifiers to domain controllers in the domain. The RID Master assigns a block of 500 identifiers to each domain controller. When 50% of the supply of RIDs is used, it contacts the RID to request a new supply. Although the loss of the RID Master is not seen by users, it can be seen when administrators are creating objects and the domain runs out of relative IDs to assign. In addition, you will not be able to move objects between domains

-domain user name(domain_name\username) -User Principal Name([email protected])

When a user logs onto a domain, a user can log on using one of two methods

3268

When a user or an application performs a search in Active Directory, a search request is sent to the global catalog over TCP port ___ which is used by Active Directory to direct these requests to a global catalog server

safe cloning, in which a cloned domain controller automatically runs a subset of the sysprep process and promotes the server to a domain controller automatically.

When you clone a domain controller you perform

global catalog server

When you promote a server to a domain controller, you have the option of making the domain controller a ___ If you decline to do so, however, you can still make any domain controller a global catalog server

global catalog

You can make all your domain controllers ___ servers, if you want. The searches will be load balanced, and the replication traffic likely will not overwhelm the network. However, other applications may require a global catalog, such as Microsoft Exchange

Dsadd.exe program

You can write a batch file to create objects in AD DS by following standard batch file rules and calling the ___ You can also use ___ to create, delete, view, and modify Active Directory objects, including users, groups, and OUs

Domain local groups

assign permissions to resources in the same domain as the domain local group. Domain local groups can make permission assignment and maintenance easier to manage

Batch files

commonly used files that can be written by using any text editor

global groups

grant or deny permissions to any resource located within the same domain directly or in in any domain in the forest by adding the global group as a member of a domain local group that has the desired permissions member-ships are replicated only to domain controllers within the same domain. Users with common resource needs should be members of a global group, to facilitate the assignment of per-missions to resources. You can change the membership of the global group as frequently as necessary to provide users with the necessary resource permissions.

serves little purpose other than universal group searches

if your network consists of a single domain, with domain controllers all located at the same site and well connected, the global catalog

critical

if your network consists of multiple domains with domain controllers located at multiple sites connected by WAN links, the global catalog configuration is

Universal groups

like global groups, can organize users according to their resource access needs. You can use them to provide access to resources located in any domain in the forest

adding a domain controller to an existing domain

must configure the computer to use the DNS server that hosts the existing forest or domain, at least during the Active Directory installation. After the installation, you will still need DNS, but you can use the server's own DNS

organizational unit

only the Domain Controllers is an

CSVDE.exe

plaintext file that consists of records saves database information in a uni-versally understandable way command-line utility enables you to import or export Active Directory objects based on a header record, which identifies the attribute contained in each comma-delimited field. The header record is the first line of the text file that uses proper attribute names. To import into AD DS, the attribute names in the CSV file must match the attributes allowed by the Active Directory schema

Organizational units

preferred method of subdividing a domain and the domain administrator must create all other OUs. not considered security principals

1.Grant the source virtualized domain controller the permission to be cloned by adding the source virtualized domain controller to the Cloneable Domain Controllers group. 2.Run the Get‐ADDCCloningExcludedApplicationList cmdlet in PowerShell to determine which services and applications on the domain controller are not compatible with the cloning. 3.Run New‐ADDCCloneConfigFile to create the clone configuration file, which is stored in C:\Windows\NTDS. 4.In Hyper‐V, export and then import the virtual machine of the source domain controller.

primary steps to deploy a cloned virtualized domain controller

LDIFDE.exe

same basic functionality as CSVDE.exe and provides the capability to modify existing records in Active Directory more flexible option modify or delete the objects later, whereas CSVDE.exe does not provide this option

Computer accounts

stored in the Active Directory hier-archy just as user objects are, and they possess many of the same capabilities, such as the following:Computer objects consist of properties that specify the computer's name, where it is located, and who is permitted to manage it. •Computer objects inherit Group Policy settings from container objects, such as domains, sites, and organizational units. •Computer objects can be members of groups and inherit permissions from group objects

global catalogs

stores a full copy of all objects in the domain also has a partial copy of all objects for all other domains in the forest. The partial copy of all objects is used for logon, object searches, and universal group membership s created automatically on the first domain controller in the forest. Optionally, other domain controllers can be configured to serve as ___. As noted earlier, the ___ is an index of all AD DS objects in a forest that prevents systems from having to perform searches among multiple domain controllers

global catalog server

stores enough information to quickly find users across multiple domains. It also contains information about the user to permit or deny the logon request, such as time restrictions or workstation restrictions

Windows Server 2003

universal group membership replication was introduced, which significantly decreased the amount of replication traffic of universal groups

global catalog

used to resolve the UPN name to a user name

Placing a global catalog server at each site is recommended in this case. The initial replication might generate a lot of traffic, but the savings in the long run should be significant

you do not want users performing AD DS searches that must reach across slow, expensive WAN links to contact domain controllers at other sites

operations master roles guidelines

•Place the domain‐level roles on high‐performance domain controllers. •Do not place the Infrastructure Master on a global catalog server unless you have only one domain or all the domain controllers in your forest are also global catalogs •The Schema Master and Domain Naming Master should be on domain controllers in the forest root domain. •If the Primary Domain Controller (PDC) Emulator becomes overworked, you should offload non-AD DS roles to other servers, upgrade the PDC Emulator, or move the PDC Emulator to a more powerful computer.

global states of an FRS to DFSR upgrade

•Start (State 0): Live AD DS SYSVOL replication between domain controllers is per-formed using FRS. DFSR is not being performed. FRS replication occurs with the SYSVOL folder. •Prepared (State 1): Live AD DS SYSVOL replication between domain controllers is performed using FRS. A separate, behind‐the‐scenes SYSVOL replication using DFSR is performed on the domain controllers in parallel with the live replication. FRS replica-tion occurs with the SYSVOL folder. DSFR occurs with the SYSVOL_DFSR folder. •Redirected (State 2): Live AD DS SYSVOL replication between domain controllers is performed using DFSR. A separate, behind‐the‐scenes SYSVOL replication using FRS is performed on the domain controllers in parallel with the live replication. DFSR occurs with the SYSVOL_DFSR folder. FRS replication occurs with the SYSVOL folder. •Eliminated (State 3): All Live AD DS SYSVOL replication between domain controllers is performed using DFSR. FRS SYSVOL replication is removed, including the SYSVOL folder and its contents, if it was not open during the elimination operation. DFSR occurs with the SYSVOL_DFSR folder.

Domain local groups

•User accounts •Computer accounts •Global groups from any domain in the forest •Universal groups •Domain local groups from the same domain

Universal groups

•User accounts from any domain in the forest and any trusted domain •Computer accounts from any domain in the forest and any trusted domain •Global groups from any domain in the forest •Other universal groups

global groups

•User accounts from the same domain as the global group •Computer accounts from the same domain as the global group •Other global groups from the same domain


Conjuntos de estudio relacionados

Texas Promulgated Contract Forms - Chapter 3

View Set

module 6 quiz: economic influences

View Set

History of Interior Design Final Exam 19'

View Set

Chapter 11: Cardiovascular System Combining Forms, Prefixes, and Suffixes

View Set

Advanced Children and Families Final

View Set

Chapter 38: Assessment and Management of Patients With Rheumatic Disorders Prep-U

View Set

Economics Chapter 9, ECON 131 Final, Ch 16 Review, AP Macro Econ Ch 15 & 16, Test Practice Questions (Exam 3), Chapter 10 Macro Review, Macro Final

View Set